[git] GPGME - branch, master, updated. gpgme-1.11.1-242-g53c5b9a

by Werner Koch cvs at cvs.gnupg.org
Mon Aug 27 11:52:42 CEST 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GnuPG Made Easy".

The branch, master has been updated
       via  53c5b9a265d33f2cc54f489375a929602338aee8 (commit)
       via  702566b36c1138b2154ce054254641edcbe472fb (commit)
      from  4f28fbddd3d70eb7e3ce874b1673630142110b72 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 53c5b9a265d33f2cc54f489375a929602338aee8
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Aug 27 11:42:27 2018 +0200

    json: Do not put FILE_NAME into the verify result.
    
    * src/gpgme-json.c (verify_result_to_json): Remove "file_name".
    --
    
    Having the file name in the verify result may lead developers to
    assume that the file name is covered by the signature.  This is not
    the case and can easily be checked by hex-editing a signed message.
    We better don't output it at all.
    
    The same is true for the is_mime flag but that is anyway only an
    advisory and I can't see damage from a faulty one.
    
    Note that we keep file_name in gpgme's output for ABI stability and
    because some tools want to display meta information even if they are
    subject to tampering.  This is similar to the non-encrypted subject in
    mails.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/src/gpgme-json.c b/src/gpgme-json.c
index 9358269..8812024 100644
--- a/src/gpgme-json.c
+++ b/src/gpgme-json.c
@@ -1138,7 +1138,6 @@ verify_result_to_json (gpgme_verify_result_t verify_result)
 {
   cjson_t result = xjson_CreateObject ();
 
-  xjson_AddStringToObject0 (result, "file_name", verify_result->file_name);
   xjson_AddBoolToObject (result, "is_mime", verify_result->is_mime);
 
   if (verify_result->signatures)
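Review bot: In verify_result_to_json nothing at the removal site records that "file_name" is left out on purpose, so a later change could re-add it for parity with gpgme_verify_result_t. A short comment above the is_mime line, saying that file_name is intentionally not exported because it is not covered by the signature, would keep the reasoning next to the code.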
@@ -2107,8 +2106,8 @@ static const char hlp_verify[] =
   "data:   The verified data.  This may be base64 encoded.\n"
   "base64: Boolean indicating whether data is base64 encoded.\n"
   "info:   An object with verification information (gpgme_verify_result_t).\n"
-  " file_name: Optional string of the plaintext file name.\n"
   " is_mime:    Boolean that is true if the messages claims it is MIME.\n"
+  "             Note that this flag is not covered by the signature.)\n"
   " signatures: Array of signatures\n"
   "  summary: Object containing summary information.\n"
   "   Boolean values: (Check gpgme_sigsum_t doc for meaning)\n"
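Review bot: The added help line `"             Note that this flag is not covered by the signature.)\n"` ends with a closing parenthesis that has no matching opening one; either drop the `)` or open the parenthesis before "Note". While this entry is being touched, "the messages claims" in the is_mime line directly above reads as a typo for "the message claims".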

commit 702566b36c1138b2154ce054254641edcbe472fb
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Aug 27 11:34:30 2018 +0200

    doc: Add warning that FILE_NAME is not part of the signed data.
    
    --

diff --git a/doc/gpgme.texi b/doc/gpgme.texi
index aff7240..5c1757d 100644
--- a/doc/gpgme.texi
+++ b/doc/gpgme.texi
@@ -5845,7 +5845,15 @@ verification was attempted.
 
 @item char *file_name
 This is the filename of the original plaintext message file if it is
-known, otherwise this is a null pointer.
+known, otherwise this is a null pointer.  Warning: The filename is
+not covered by the signature.
+
+ at item unsigned int is_mime : 1;
+ at since{1.11.0}
+
+The message claims that the content is a MIME object.  Warning: This
+flag is not covered by the signature.
+
 @end table
 @end deftp
 
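Review bot: The added is_mime item line ends with a semicolon (`is_mime : 1;`), while the neighbouring `char *file_name` item has none; dropping the semicolon keeps the table entries consistent. The two warnings are also worded slightly differently ("The filename is not covered" versus "This flag is not covered"), which is fine, but a common phrasing would make them easier to search for.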
diff --git a/src/gpgme.h.in b/src/gpgme.h.in
index 3596801..e4ea466 100644
--- a/src/gpgme.h.in
+++ b/src/gpgme.h.in
@@ -1591,11 +1591,12 @@ struct _gpgme_op_verify_result
 {
   gpgme_signature_t signatures;
 
-  /* The original file name of the plaintext message, if
-     available.  */
+  /* The original file name of the plaintext message, if available.
+   * Warning: This information is not covered by the signature.  */
   char *file_name;
 
   /* The message claims that the content is a MIME object.  */
+  /* Warning: This flag is not covered by the signature.  */
   unsigned int is_mime : 1;
 
   /* Internal to GPGME; do not use.  */
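Review bot: For is_mime the warning is added as a second, separate comment, while for file_name it was folded into the existing comment block. Merging the two is_mime comments into one block in the same style as the file_name comment would keep the struct documentation uniform and avoid the warning being dropped when the first comment is edited.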

-----------------------------------------------------------------------

Summary of changes:
 doc/gpgme.texi   | 10 +++++++++-
 src/gpgme-json.c |  3 +--
 src/gpgme.h.in   |  5 +++--
 3 files changed, 13 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
GnuPG Made Easy
http://git.gnupg.org



